
MODULE - 1

PART – 4: DECEPTION TECHNOLOGY


What is Deception Technology in Cyber Security?
• The aim of deception technology is to prevent a cybercriminal who has
managed to infiltrate a network from doing any significant damage.
• The technology works by generating traps or deception decoys that mimic
legitimate technology assets throughout the infrastructure.
• These decoys can run in a virtual or real operating system environment and
are designed to trick the cybercriminal into thinking they have discovered a
way to escalate privileges and steal credentials.
• Once a trap is triggered, notifications are broadcast to a centralized
deception server that records the affected decoy and the attack vectors
that were used by the cybercriminal.
Honeypot as a Deception Technology
• A honeypot is a network-attached system set up as a decoy to lure
cyberattackers and to detect, deflect or study hacking attempts. They're
used by security researchers as well as IT companies.
• There are many applications and use cases for honeypots, as they work to
divert malicious traffic away from important systems, get an early warning
of a current attack before critical systems are hit, and gather information
about attackers and their methods.
• For a honeypot to work, the system should appear to be legitimate. It
should run processes a production system is expected to run, and contain
seemingly important dummy files.
Honeypot as a Deception Technology (Contd.)
• It's also a good idea to place a honeypot behind your corporate firewall: not
only does it provide important logging and alerting capabilities, but you can
block outgoing traffic so that a compromised honeypot cannot be used to
pivot toward other internal assets.
• In terms of objectives, there are two types of honeypots: research and
production honeypots.
• Research Honeypots - Research honeypots gather information about attacks
and are used specifically for studying malicious behavior out in the wild.
• Production Honeypots - Production honeypots, on the other hand, are
focused on identifying active compromise on your internal network and
tricking the attacker.
Honeypot as a Deception Technology (Contd.)
• Honeypots can be categorized according to their build and complexity -
Low-interaction and High-interaction Honeypots.
• Low-interaction Honeypots – They use fewer resources and collect basic
information about the level and type of threat and where it is coming from.
They are easy and quick to set up. There's nothing in the honeypot to
engage the attacker for very long.
• High-interaction Honeypots – They aim to get hackers to spend as much
time as possible within the honeypot, giving plenty of information about
their intentions and targets, as well as the vulnerabilities they are
exploiting and their method of working.
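The slides describe two things a decoy must do: look like a real service while offering nothing to exploit (a low-interaction honeypot), and report every trap trigger to a centralized deception server that records the affected decoy and the source of the attempt. The following is an added example, not code from the slides: a minimal low-interaction TCP decoy that sends a constructed SSH-style banner, captures the first bytes a client sends, and hands a JSON alert to a stand-in collector object. The class names, the banner string and the client hello are all this example's own assumptions.

```python
"""Low-interaction TCP honeypot that reports every touch to a central collector.

Added example (not from the slides). DeceptionCollector and
LowInteractionHoneypot are this example's own names; the banner is constructed.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed banner: makes the decoy look like an SSH service without running one.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


class DeceptionCollector:
    """Stand-in for the centralized deception server: stores each alert and
    prints it as one JSON line so a SIEM or log shipper could ingest it."""

    def __init__(self):
        self._lock = threading.Lock()
        self.events = []

    def record(self, event):
        with self._lock:
            self.events.append(event)
        print(json.dumps(event))

    def count(self):
        with self._lock:
            return len(self.events)


class LowInteractionHoneypot:
    """Accepts a connection, sends a banner, records the first bytes the client
    sends, then hangs up. Nothing real is offered, so there is little to exploit."""

    def __init__(self, collector, decoy_name="ssh-decoy", host="127.0.0.1", port=0):
        self.collector = collector
        self.decoy_name = decoy_name
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets the accept loop notice stop()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self):
        return self._sock.getsockname()[1]

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                self._handle(conn, addr)

    def _handle(self, conn, addr):
        conn.settimeout(1.0)
        try:
            conn.sendall(FAKE_BANNER)
            first = conn.recv(256)
        except (socket.timeout, OSError):
            first = b""
        # Any connection is suspicious: no legitimate client has a reason to be here.
        self.collector.record({
            "time": datetime.now(timezone.utc).isoformat(),
            "decoy": self.decoy_name,
            "src_ip": addr[0],
            "src_port": addr[1],
            "first_bytes": first[:64].decode("ascii", "replace"),
        })


def demo():
    """Run the decoy, touch it once the way a scanner would, return (banner, events)."""
    collector = DeceptionCollector()
    honeypot = LowInteractionHoneypot(collector)
    honeypot.start()
    try:
        with socket.create_connection(("127.0.0.1", honeypot.port), timeout=2) as client:
            banner = client.recv(64)
            client.sendall(b"SSH-2.0-scanner_probe\r\n")  # constructed client hello
        deadline = time.monotonic() + 3
        while collector.count() < 1 and time.monotonic() < deadline:
            time.sleep(0.05)
    finally:
        honeypot.stop()
    return banner, collector.events


if __name__ == "__main__":
    demo()
```

Because the decoy never authenticates anyone or runs a shell, it is quick to deploy and gives an attacker nothing to stay for, which is exactly the low-interaction trade-off the slide describes; the alert it raises is high-signal because the service has no legitimate users.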
Honeypot as a Deception Technology (Contd.)
• Several honeypot technologies in use include the following:
• Email traps (spam traps) – They place a fake email address in a hidden
location where only an automated address harvester will be able to find it.
It's 100% certain that any mail coming to it is spam. The source IPs of these
senders can be added to a blacklist.
• Decoy database – It can be set up to monitor software vulnerabilities and
spot attacks exploiting insecure system architecture or using SQL injection,
SQL services exploitation, or privilege abuse.
• Malware honeypot - It mimics software apps and APIs to invite malware
attacks. The characteristics of the malware can then be analyzed to
develop anti-malware software or to close vulnerabilities in the API.
Honeypot as a Deception Technology (Contd.)
• Spider honeypot – It is intended to trap webcrawlers ('spiders') by creating
web pages and links only accessible to crawlers. Detecting crawlers can
help you learn how to block malicious bots, as well as ad-network crawlers.
• Honeynets - Honeynets are a logical extension of the honeypot concept. A
honeynet is a series of networked honeypots. By watching attackers move
across the network from file servers to web servers, for instance, we'll have
a better sense of what they're doing and how they're doing it.
NOTE - A web crawler, also referred to as a search engine bot or a website spider, is a
program that crawls across the World Wide Web to find and index pages for search
engines.
Search engines don't magically know what websites exist on the Internet. Their crawlers
have to crawl and index sites before the engine can deliver the right pages for the
keywords and phrases people use to find a useful page.
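Both the email trap and the spider trap on these slides rest on the same idea: plant a resource that no legitimate user or well-behaved crawler would ever touch, then treat every source that touches it as hostile. The following added example (not from the slides) implements that for both traps over constructed log lines: a trap mailbox address seeded where only harvesters look, and a trap URL that is hidden from people and disallowed in robots.txt, so a crawler that obeys robots.txt never trips it. The trap address, trap path, log formats, log lines and IPs (RFC 5737 documentation ranges) are all constructed for this example.

```python
"""Trap-hit detection for an e-mail trap and a spider trap.

Added example (not from the slides). Trap identifiers, log formats and every
log line below are constructed; IPs come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Seeded only into hidden places (HTML comments, white-on-white text); never used for real mail.
SPAM_TRAP_ADDRESSES = {"harvest-me@example.com"}

# Reachable only through a link no person sees; also disallowed in robots.txt,
# so a crawler that honours robots.txt never triggers it.
SPIDER_TRAP_PATH = "/.well-known/trap-7f3a/"
ROBOTS_TXT = f"User-agent: *\nDisallow: {SPIDER_TRAP_PATH}\n"
HIDDEN_LINK_HTML = f'<a href="{SPIDER_TRAP_PATH}" style="display:none" tabindex="-1">&nbsp;</a>'

# Constructed mail-log format: "... from=<sender> to=<recipient> src=<ip> ..."
MAIL_LOG_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> src=(?P<ip>[\d.]+)")
# Combined (Apache/nginx-style) access-log line
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample logs.
MAIL_LOG = [
    "Jan 12 10:01:02 mx1 smtpd: from=<news@shop.example> to=<alice@example.com> src=203.0.113.9 status=accepted",
    "Jan 12 10:01:07 mx1 smtpd: from=<promo@bulk.example> to=<harvest-me@example.com> src=198.51.100.23 status=accepted",
    "Jan 12 10:02:44 mx1 smtpd: from=<win@lotto.example> to=<HARVEST-ME@example.com> src=198.51.100.23 status=accepted",
    "Jan 12 10:03:10 mx1 smtpd: from=<bob@example.org> to=<alice@example.com> src=192.0.2.77 status=accepted",
]
ACCESS_LOG = [
    '203.0.113.5 - - [12/Jan/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "GoodBot/1.0"',
    '203.0.113.5 - - [12/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1832 "-" "GoodBot/1.0"',
    '198.51.100.44 - - [12/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '198.51.100.44 - - [12/Jan/2024:10:00:05 +0000] "GET /.well-known/trap-7f3a/ HTTP/1.1" 200 12 "http://www.example/index.html" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jan/2024:10:00:09 +0000] "GET /.well-known/trap-7f3a/page2 HTTP/1.1" 200 12 "-" "scrapy/2.11"',
]


def spam_trap_hits(lines):
    """Map source IP -> set of sender addresses that mailed a trap address."""
    hits = defaultdict(set)
    for line in lines:
        m = MAIL_LOG_RE.search(line)
        if m and m.group("rcpt").lower() in SPAM_TRAP_ADDRESSES:
            hits[m.group("ip")].add(m.group("sender"))
    return dict(hits)


def spider_trap_hits(lines):
    """Map source IP -> set of user agents that fetched anything under the trap path."""
    hits = defaultdict(set)
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m.group("path").startswith(SPIDER_TRAP_PATH):
            hits[m.group("ip")].add(m.group("ua"))
    return dict(hits)


def build_blocklist(mail_hits, web_hits):
    """One sorted list of source IPs to feed a blacklist or firewall ruleset."""
    return sorted(set(mail_hits) | set(web_hits))


if __name__ == "__main__":
    mail = spam_trap_hits(MAIL_LOG)
    web = spider_trap_hits(ACCESS_LOG)
    print("spam-trap senders:", mail)
    print("spider-trap agents:", web)
    print("blocklist:", build_blocklist(mail, web))
```

In the sample data the crawler at 203.0.113.5 fetches robots.txt and stays away from the trap path, so it is never flagged; the client at 198.51.100.44 claims a browser user agent but follows an invisible link, which is the behaviour only an HTML-parsing bot exhibits. The recipient match is lowercased because mail addresses are matched case-insensitively in practice.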
Honeypot as a Deception Technology (Contd.)
• Benefits of using Honeypots
• Honeypots can be a good way to expose vulnerabilities in major systems.
• They can also suggest ways in which security could be improved.
• They break the attacker kill chain and slow attackers down.
• Honeypots have a low false positive rate as compared to IDS.
• Honeypots can give reliable intelligence about how threats are evolving.
• Honeypots are also great training tools for technical security staff.
• Honeypots can also catch internal threats.
Honeypot as a Deception Technology (Contd.)
• Disadvantages of using Honeypots
• Just because a certain threat hasn't been directed against the honeypot,
you can't assume it doesn't exist.
• An attacker can create spoofed attacks to distract attention from a real
exploit being targeted against your production systems.
• A smart attacker could potentially use a honeypot as a way into your
systems.
• Deployment, maintenance and analysis costs are involved.